It's pretty common to run VMs within containers so an attacker has to escape twice. You can probably disable 99% of system calls.